DOCSLIB.ORG

Fiat-Shamir Via List-Recoverable Codes (Or: Parallel Repetition of GMW Is Not Zero-Knowledge)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Fiat-Shamir Via List-Recoverable Codes (Or: Parallel Repetition of GMW Is Not Zero-Knowledge) Fiat-Shamir via List-Recoverable Codes (or: Parallel Repetition of GMW is not Zero-Knowledge) Justin Holmgren∗ Alex Lombardi† Ron D. Rothblum‡ March 6, 2021 Abstract Shortly after the introduction of zero-knowledge proofs, Goldreich, Micali and Wigderson (CRYPTO ’86) demonstrated their wide applicability by constructing zero-knowledge proofs for the NP-complete problem of graph 3-coloring. A long-standing open question has been whether parallel repetition of their protocol preserves zero knowledge. In this work, we answer this question in the negative, assuming a standard cryptographic assumption (i.e., the hardness of learning with errors (LWE)). Leveraging a connection observed by Dwork, Naor, Reingold, and Stockmeyer (FOCS ’99), our negative result is obtained by making positive progress on a related fundamental problem in cryptography: securely instantiating the Fiat-Shamir heuristic for eliminating interaction in public-coin interactive protocols. A recent line of works has shown how to instantiate the heuristic securely, albeit only for a limited class of protocols. Our main result shows how to instantiate Fiat-Shamir for parallel repetitions of much more general interactive proofs. In particular, we construct hash functions that, assuming LWE, securely realize the Fiat-Shamir transform for the following rich classes of protocols: 1. The parallel repetition of any “commit-and-open” protocol (such as the GMW protocol mentioned above), when a specific (natural) commitment scheme is used. Commit-and- open protocols are a ubiquitous paradigm for constructing general purpose public-coin zero knowledge proofs. 2. The parallel repetition of any base protocol that (1) satisfies a stronger notion of sound- ness called round-by-round soundness, and (2) has an efficient procedure, using a suitable trapdoor, for recognizing “bad verifier randomness” that would allow the prover to cheat. Our results are obtained by establishing a new connection between the Fiat-Shamir trans- form and list-recoverable codes. In contrast to the usual focus in coding theory, we focus on a parameter regime in which the input lists are extremely large, but the rate can be small. We give a (probabilistic) construction based on Parvaresh-Vardy codes (FOCS ’05) that suffices for our applications. ∗NTT Research. Email: [email protected]. †MIT. Email: [email protected]. Research conducted in part while the author was an intern at NTT Research. Research supported in part by an NDSEG fellowship. Research supported in part by NSF Grants CNS-1350619 and CNS-1414119, and by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236. ‡Technion. Email: [email protected]. Supported in part by a Milgrom family grant, by the Israeli Science Foundation (Grants No. 1262/18 and 2137/19), and grants from the Technion Hiroshi Fujiwara cyber security research center and Israel cyber directorate. Contents 1 Introduction 1 1.1 Securely Instantiating Fiat-Shamir............................2 1.2 Technical Overview.....................................6 1.3 Reflections: Fiat-Shamir via Coding Theory....................... 13 1.4 Related Work........................................ 14 1.4.1 Correlation Intractability and Fiat-Shamir.................... 14 1.4.2 List-Recoverable Codes and Cryptography.................... 16 2 Preliminaries 17 2.1 Interactive Proofs and Zero-Knowledge.......................... 17 2.2 Cryptographic Primitives and Assumptions....................... 18 2.3 Correlation-Intractable Hash Functions.......................... 19 2.4 The Fiat-Shamir Transform................................ 20 2.5 Error Correcting Codes and List Recovery........................ 21 2.6 Concentration Inequalities................................. 22 3 Derandomization for Correlation Intractability 22 3.1 Correlation Intractability via List Recovery....................... 22 3.2 Handling Large Alphabets via Subsampling....................... 24 4 Basic List Recovery Bounds 25 5 Fiat-Shamir for Commit-And-Open Protocols 28 5.1 Correlation Intractability for Efficiently Verifiable Product Relations......... 28 5.2 Fiat-Shamir for Trapdoor 3-Message Protocols..................... 30 5.3 Commit and Open Protocols............................... 32 5.4 Zero Knowledge is Not Preserved by Parallel Repetition................ 33 6 Fiat-Shamir for Round-By-Round Sound Protocols 33 6.1 CI for Efficiently Verifiable Approximate Product Relations.............. 34 6.2 Applications to Fiat-Shamir for Round-by-Round Sound Protocols.......... 36 6.2.1 Notions of Bad Challenge Efficient Decidability................. 38 6.2.2 Putting Everything Together........................... 39 1 Introduction Zero-knowledge proofs, introduced by Goldwasser, Micali and Rackoff [GMR85], are a beauti- fully paradoxical construct. Such proofs allow a prover to convince a verifier that an assertion is true without revealing anything beyond that to the verifier. Soon after the introduction of zero- knowledge proofs, Goldreich, Micali and Wigderson [GMW86] constructed a zero-knowledge proof system (henceforth referred to as the GMW protocol) for the 3-coloring problem. This result is a cornerstone in the development of zero-knowledge proofs, since 3-coloring is NP-complete, and so the GMW protocol actually yields zero-knowledge proofs for any problem in NP. Roughly speaking, the idea underlying the GMW protocol is for the prover to commit (via a cryptographic commitment scheme) to a random 3-coloring of the graph. The verifier chooses a random edge and the prover decommits to the colors of the two endpoints. Intuitively, the protocol is zero-knowledge since the verifier (even if acting maliciously) knows what to expect: two random different colors. An important point however is that this base protocol has poor soundness. For example, suppose that the input graph G = (V, E) is not 3-colorable, but has a coloring that miscolors only one edge. In such a case, the verifier’s probability of detecting the monochromatic edge is only 1/|E|. Thankfully, the soundness of the GMW protocol (or any other interactive proof) can be amplified by repetition. That is, in order to reduce the soundness error, one can repeat the base GMW protocol multiple times, either sequentially or in parallel, using independent coin tosses in each repetition (for both parties). At the end of the interaction the verifier accepts if and only if the base verifier accepted in all of the repetitions. Repetition indeed reduces the soundness error, but does it preserve zero-knowledge? While it is relatively straightforward to argue that sequential repetition indeed preserves zero-knowledge [GO94], this yields a protocol with a prohibitively large number of rounds. Thus, a major question in the field is whether parallel repetition also preserves zero-knowledge.1 Curiously, it has long been known that parallel repetition does not preserve zero-knowledge for some (contrived) protocols [GK96]. However, for “naturally occurring” protocols, the question remained open for decades. A sequence of recent works [KRR17,CCRR18,HL18,CCH +18] showed that zero-knowledge is not preserved by repetition in very high generality (in fact, general 3- message zero-knowledge proofs can be ruled out [FGJ18]), but these works relied on extremely strong, non-falsifiable, and/or poorly understood cryptographic assumptions. The first progress on this question based on standard assumptions was due to Canetti et al. [CCH+19] and Peikert and Shiehian [PS19], who showed that some classical ZK protocols [GMR85, Blu86] fail to remain ZK under parallel repetition. However, their results conspicuously fail to capture the GMW protocol (and indeed fail to capture “most” protocols). Thus, an answer to the following basic question has remained elusive for over 30 years [DNRS99, BLV03]: Does parallel repetition of the GMW protocol preserve zero-knowledge (under standard cryptographic assumptions)? As one of our main results, we answer this question in the negative, assuming the hardness of learning with errors (LWE)[Reg03]. 1In particular, a positive resolution of this question would yield 3-message zero-knowledge proofs for all of NP (as- suming also non-interactive commitments), thereby settling the long-standing open problem of the round complexity of zero-knowledge proofs. 1 Theorem 1.1 (Informally Stated, see Theorem 5.13). Assume that LWE holds. Then, there exists a commitment scheme C (in the common random string model) and a polynomial t such that t-fold parallel repetition of the GMW protocol (using C as its commitment scheme) is not zero-knowledge. We briefly make two remarks on Theorem 1.1: • The commitment scheme C used in order to prove Theorem 1.1 is a natural one.2 The common random string consists of a public-key of an encryption scheme (which if using a suitable encryption scheme can simply be a uniformly random string). One commits by simply encrypting messages and decommits by revealing the randomness used in the encryption. Still, we point out that Theorem 1.1 leaves open the possibility that parallel repetition of GMW is zero-knowledge when instantiated with a specially tailored commitment scheme. • The number of repetitions t for which we can show that the t-fold parallel repetition of GMW has negl(λ) soundness error, but is not zero knowledge, is |E(G)| · λ, where |E(G)| denotes the number of edges in the graph and λ is a security parameter. However, we still leave open a (very) small window of possible
Load more

Recommended publications
  • Distance-Sensitive Hashing∗
    Distance-Sensitive Hashing∗ Martin Aumüller Tobias Christiani IT University of Copenhagen IT University of Copenhagen [email protected] [email protected] Rasmus Pagh Francesco Silvestri IT University of Copenhagen University of Padova [email protected] [email protected] ABSTRACT tight up to lower order terms. In particular, we extend existing Locality-sensitive hashing (LSH) is an important tool for managing LSH lower bounds, showing that they also hold in the asymmetric high-dimensional noisy or uncertain data, for example in connec- setting. tion with data cleaning (similarity join) and noise-robust search (similarity search). However, for a number of problems the LSH CCS CONCEPTS framework is not known to yield good solutions, and instead ad hoc • Theory of computation → Randomness, geometry and dis- solutions have been designed for particular similarity and distance crete structures; Data structures design and analysis; • Informa- measures. For example, this is true for output-sensitive similarity tion systems → Information retrieval; search/join, and for indexes supporting annulus queries that aim to report a point close to a certain given distance from the query KEYWORDS point. locality-sensitive hashing; similarity search; annulus query In this paper we initiate the study of distance-sensitive hashing (DSH), a generalization of LSH that seeks a family of hash functions ACM Reference Format: Martin Aumüller, Tobias Christiani, Rasmus Pagh, and Francesco Silvestri. such that the probability of two points having the same hash value is 2018. Distance-Sensitive Hashing. In Proceedings of 2018 International Confer- a given function of the distance between them. More precisely, given ence on Management of Data (PODS’18).
    [Show full text]
  • Arxiv:2102.08942V1 [Cs.DB]
    A Survey on Locality Sensitive Hashing Algorithms and their Applications OMID JAFARI, New Mexico State University, USA PREETI MAURYA, New Mexico State University, USA PARTH NAGARKAR, New Mexico State University, USA KHANDKER MUSHFIQUL ISLAM, New Mexico State University, USA CHIDAMBARAM CRUSHEV, New Mexico State University, USA Finding nearest neighbors in high-dimensional spaces is a fundamental operation in many diverse application domains. Locality Sensitive Hashing (LSH) is one of the most popular techniques for finding approximate nearest neighbor searches in high-dimensional spaces. The main benefits of LSH are its sub-linear query performance and theoretical guarantees on the query accuracy. In this survey paper, we provide a review of state-of-the-art LSH and Distributed LSH techniques. Most importantly, unlike any other prior survey, we present how Locality Sensitive Hashing is utilized in different application domains. CCS Concepts: • General and reference → Surveys and overviews. Additional Key Words and Phrases: Locality Sensitive Hashing, Approximate Nearest Neighbor Search, High-Dimensional Similarity Search, Indexing 1 INTRODUCTION Finding nearest neighbors in high-dimensional spaces is an important problem in several diverse applications, such as multimedia retrieval, machine learning, biological and geological sciences, etc. For low-dimensions (< 10), popular tree-based index structures, such as KD-tree [12], SR-tree [56], etc. are effective, but for higher number of dimensions, these index structures suffer from the well-known problem, curse of dimensionality (where the performance of these index structures is often out-performed even by linear scans) [21]. Instead of searching for exact results, one solution to address the curse of dimensionality problem is to look for approximate results.
    [Show full text]
  • SIGMOD Flyer
    DATES: Research paper SIGMOD 2006 abstracts Nov. 15, 2005 Research papers, 25th ACM SIGMOD International Conference on demonstrations, Management of Data industrial talks, tutorials, panels Nov. 29, 2005 June 26- June 29, 2006 Author Notification Feb. 24, 2006 Chicago, USA The annual ACM SIGMOD conference is a leading international forum for database researchers, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. We invite the submission of original research contributions as well as proposals for demonstrations, tutorials, industrial presentations, and panels. We encourage submissions relating to all aspects of data management defined broadly and particularly ORGANIZERS: encourage work that represent deep technical insights or present new abstractions and novel approaches to problems of significance. We especially welcome submissions that help identify and solve data management systems issues by General Chair leveraging knowledge of applications and related areas, such as information retrieval and search, operating systems & Clement Yu, U. of Illinois storage technologies, and web services. Areas of interest include but are not limited to: at Chicago • Benchmarking and performance evaluation Vice Gen. Chair • Data cleaning and integration Peter Scheuermann, Northwestern Univ. • Database monitoring and tuning PC Chair • Data privacy and security Surajit Chaudhuri, • Data warehousing and decision-support systems Microsoft Research • Embedded, sensor, mobile databases and applications Demo. Chair Anastassia Ailamaki, CMU • Managing uncertain and imprecise information Industrial PC Chair • Peer-to-peer data management Alon Halevy, U. of • Personalized information systems Washington, Seattle • Query processing and optimization Panels Chair Christian S. Jensen, • Replication, caching, and publish-subscribe systems Aalborg University • Text search and database querying Tutorials Chair • Semi-structured data David DeWitt, U.
    [Show full text]
  • Lower Bounds on Lattice Sieving and Information Set Decoding
    Lower bounds on lattice sieving and information set decoding Elena Kirshanova1 and Thijs Laarhoven2 1Immanuel Kant Baltic Federal University, Kaliningrad, Russia [email protected] 2Eindhoven University of Technology, Eindhoven, The Netherlands [email protected] April 22, 2021 Abstract In two of the main areas of post-quantum cryptography, based on lattices and codes, nearest neighbor techniques have been used to speed up state-of-the-art cryptanalytic algorithms, and to obtain the lowest asymptotic cost estimates to date [May{Ozerov, Eurocrypt'15; Becker{Ducas{Gama{Laarhoven, SODA'16]. These upper bounds are useful for assessing the security of cryptosystems against known attacks, but to guarantee long-term security one would like to have closely matching lower bounds, showing that improvements on the algorithmic side will not drastically reduce the security in the future. As existing lower bounds from the nearest neighbor literature do not apply to the nearest neighbor problems appearing in this context, one might wonder whether further speedups to these cryptanalytic algorithms can still be found by only improving the nearest neighbor subroutines. We derive new lower bounds on the costs of solving the nearest neighbor search problems appearing in these cryptanalytic settings. For the Euclidean metric we show that for random data sets on the sphere, the locality-sensitive filtering approach of [Becker{Ducas{Gama{Laarhoven, SODA 2016] using spherical caps is optimal, and hence within a broad class of lattice sieving algorithms covering almost all approaches to date, their asymptotic time complexity of 20:292d+o(d) is optimal. Similar conditional optimality results apply to lattice sieving variants, such as the 20:265d+o(d) complexity for quantum sieving [Laarhoven, PhD thesis 2016] and previously derived complexity estimates for tuple sieving [Herold{Kirshanova{Laarhoven, PKC 2018].
    [Show full text]
  • Constraint Clustering and Parity Games
    Constrained Clustering Problems and Parity Games Clemens Rösner geboren in Ulm Dissertation zur Erlangung des Doktorgrades (Dr. rer. nat.) der Mathematisch-Naturwissenschaftlichen Fakultät der Rheinischen Friedrich-Wilhelms-Universität Bonn Bonn 2019 1. Gutachter: Prof. Dr. Heiko Röglin 2. Gutachterin: Prof. Dr. Anne Driemel Tag der mündlichen Prüfung: 05. September 2019 Erscheinungsjahr: 2019 Angefertigt mit Genehmigung der Mathematisch-Naturwissenschaftlichen Fakultät der Rheinischen Friedrich-Wilhelms-Universität Bonn Abstract Clustering is a fundamental tool in data mining. It partitions points into groups (clusters) and may be used to make decisions for each point based on its group. We study several clustering objectives. We begin with studying the Euclidean k-center problem. The k-center problem is a classical combinatorial optimization problem which asks to select k centers and assign each input point in a set P to one of the centers, such that the maximum distance of any input point to its assigned center is minimized. The Euclidean k-center problem assumes that the input set P is a subset of a Euclidean space and that each location in the Euclidean space can be chosen as a center. We focus on the special case with k = 1, the smallest enclosing ball problem: given a set of points in m-dimensional Euclidean space, find the smallest sphere enclosing all the points. We combine known results about convex optimization with structural properties of the smallest enclosing ball to create a new algorithm. We show that on instances with rational coefficients our new algorithm computes the exact center of the optimal solutions and has a worst-case run time that is polynomial in the size of the input.
    [Show full text]
  • Approximate Nearest Neighbor: Towards Removing the Curse of Dimensionality
    THEORY OF COMPUTING, Volume 8 (2012), pp. 321–350 www.theoryofcomputing.org SPECIAL ISSUE IN HONOR OF RAJEEV MOTWANI Approximate Nearest Neighbor: Towards Removing the Curse of Dimensionality Sariel Har-Peled∗ Piotr Indyk † Rajeev Motwani ‡ Received: August 20, 2010; published: July 16, 2012. Abstract: We present two algorithms for the approximate nearest neighbor problem in d high-dimensional spaces. For data sets of size n living in R , the algorithms require space that is only polynomial in n and d, while achieving query times that are sub-linear in n and polynomial in d. We also show applications to other high-dimensional geometric problems, such as the approximate minimum spanning tree. The article is based on the material from the authors’ STOC’98 and FOCS’01 papers. It unifies, generalizes and simplifies the results from those papers. ACM Classification: F.2.2 AMS Classification: 68W25 Key words and phrases: approximate nearest neighbor, high dimensions, locality-sensitive hashing 1 Introduction The nearest neighbor (NN) problem is defined as follows: Given a set P of n points in a metric space defined over a set X with distance function D, preprocess P to efficiently answer queries for finding the point in P closest to a query point q 2 X. A particularly interesting case is that of the d-dimensional d Euclidean space where X = R under some `s norm. This problem is of major importance in several ∗Supported by NSF CAREER award CCR-0132901 and AF award CCF-0915984. †Supported by a Stanford Graduate Fellowship, NSF Award CCR-9357849 and NSF CAREER award CCF-0133849.
    [Show full text]
  • Model Checking Large Design Spaces: Theory, Tools, and Experiments
    Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2020 Model checking large design spaces: Theory, tools, and experiments Rohit Dureja Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/etd Recommended Citation Dureja, Rohit, "Model checking large design spaces: Theory, tools, and experiments" (2020). Graduate Theses and Dissertations. 18304. https://lib.dr.iastate.edu/etd/18304 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Model checking large design spaces: Theory, tools, and experiments by Rohit Dureja A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Major: Computer Science Program of Study Committee: Kristin Y. Rozier, Co-major Professor Gianfranco Ciardo, Co-major Professor Samik Basu Robyn Lutz Hridesh Rajan The student author, whose presentation of the scholarship herein was approved by the program of study committee, is solely responsible for the content of this dissertation. The Graduate College will ensure this dissertation is globally accessible and will not permit alterations after a degree is conferred. Iowa State University Ames, Iowa 2020 Copyright © Rohit Dureja, 2020. All rights reserved. ii DEDICATION To my family. iii TABLE OF CONTENTS LIST OF FIGURES . vi LIST OF TABLES . .x ABSTRACT . xi CHAPTER 1. INTRODUCTION . .1 1.1 Motivation .
    [Show full text]
  • Scalable Nearest Neighbor Search for Optimal Transport∗
    Scalable Nearest Neighbor Search for Optimal Transport∗ Arturs Backursy Yihe Dong Piotr Indyk Ilya Razenshteyn Tal Wagner TTIC Microsoft MIT Microsoft Research MIT September 30, 2020 Abstract The Optimal Transport (a.k.a. Wasserstein) distance is an increasingly popular similarity measure for rich data domains, such as images or text documents. This raises the necessity for fast nearest neighbor search algorithms according to this distance, which poses a substantial computational bottleneck on massive datasets. In this work we introduce Flowtree, a fast and accurate approximation algorithm for the Wasserstein- 1 distance. We formally analyze its approximation factor and running time. We perform extensive experimental evaluation of nearest neighbor search algorithms in the W1 distance on real-world dataset. Our results show that compared to previous state of the art, Flowtree achieves up to 7:4 times faster running time. 1 Introduction Given a finite metric space M = (X; dX ) and two distributions µ and ν on X, the Wasserstein-1 distance (a.k.a. Earth Mover's Distance or Optimal Transport) between µ and ν is defined as X W1(µ, ν) = min τ(x1; x2) · dX (x1; x2); (1) τ x1;x22X where the minimum is taken over all distributions τ on X × X whose marginals are equal to µ and ν.1 The Wasserstein-1 distance and its variants are heavily used in applications to measure similarity in structured data domains, such as images [RTG00] and natural language text [KSKW15]. In particular, [KSKW15] proposed the Word Mover Distance (WMD) for text documents. Each document is seen as a uniform distri- bution over the words it contains, and the underlying metric between words is given by high-dimensional word embeddings such as word2vec [MSC+13] or GloVe [PSM14].
    [Show full text]
  • SETH-Based Lower Bounds for Subset Sum and Bicriteria Path∗
    SETH-Based Lower Bounds for Subset Sum and Bicriteria Path∗ Amir Abboudy Karl Bringmannz Danny Hermelinx Dvir Shabtay{ Abstract 1 Introduction Subset Sum and k-SAT are two of the most extensively The field of fine-grained complexity is anchored around studied problems in computer science, and conjectures about their hardness are among the cornerstones of fine-grained certain hypotheses about the exact time complexity of a complexity. An important open problem in this area is to small set of core problems. Due to dozens of reductions, base the hardness of one of these problems on the other. we now know that the current algorithms for many Our main result is a tight reduction from k-SAT important problems are optimal unless breakthrough to Subset Sum on dense instances, proving that Bellman's 1962 pseudo-polynomial O∗(T )-time algorithm for Subset algorithms for the core problems exist. A central Sum on n numbers and target T cannot be improved to time challenge in this field is to understand the connections T 1−" · 2o(n) for any " > 0, unless the Strong Exponential and relative difficulties among these core problems. In Time Hypothesis (SETH) fails. As a corollary, we prove a \Direct-OR" theorem for this work, we discover a new connection between two Subset Sum under SETH, offering a new tool for proving core problems: a tight reduction from k-SAT to Subset conditional lower bounds: It is now possible to assume that Sum. deciding whether one out of N given instances of Subset In the first part of the introduction we discuss Sum is a YES instance requires time (NT )1−o(1).
    [Show full text]
  • Curriculum Vitae
    Curriculum Vitae David P. Woodruff Biographical Computer Science Department Gates-Hillman Complex Carnegie Mellon University 5000 Forbes Avenue Pittsburgh, PA 15213 Citizenship: United States Email: [email protected] Home Page: http://www.cs.cmu.edu/~dwoodruf/ Research Interests Compressed Sensing, Data Stream Algorithms and Lower Bounds, Dimensionality Reduction, Distributed Computation, Machine Learning, Numerical Linear Algebra, Optimization Education All degrees received from Massachusetts Institute of Technology, Cambridge, MA Ph.D. in Computer Science. September 2007 Research Advisor: Piotr Indyk Thesis Title: Efficient and Private Distance Approximation in the Communication and Streaming Models. Master of Engineering in Computer Science and Electrical Engineering, May 2002 Research Advisor: Ron Rivest Thesis Title: Cryptography in an Unbounded Computational Model Bachelor of Science in Computer Science and Electrical Engineering May 2002 Bachelor of Pure Mathematics May 2002 Professional Experience August 2018-present, Carnegie Mellon University Computer Science Department Associate Professor (with tenure) August 2017 - present, Carnegie Mellon University Computer Science Department Associate Professor June 2018 – December 2018, Google, Mountain View Research Division Visiting Faculty Program August 2007 - August 2017, IBM Almaden Research Center Principles and Methodologies Group Research Scientist Aug 2005 - Aug 2006, Tsinghua University Institute for Theoretical Computer Science Visiting Scholar. Host: Andrew Yao Jun - Jul
    [Show full text]
  • Approximate Nearest Neighbor Search in High Dimensions
    P. I. C. M. – 2018 Rio de Janeiro, Vol. 4 (3305–3336) APPROXIMATE NEAREST NEIGHBOR SEARCH IN HIGH DIMENSIONS A A, P I I R Abstract The nearest neighbor problem is defined as follows: Given a set P of n points in some metric space (X; D), build a data structure that, given any point q, returns a point in P that is closest to q (its “nearest neighbor” in P ). The data structure stores additional information about the set P , which is then used to find the nearest neighbor without computing all distances between q and P . The problem has a wide range of applications in machine learning, computer vision, databases and other fields. To reduce the time needed to find nearest neighbors and the amount of memory used by the data structure, one can formulate the approximate nearest neighbor prob- lem, where the the goal is to return any point p P such that the distance from q to 0 2 p is at most c minp P D(q; p), for some c 1. Over the last two decades many 0 efficient solutions to this2 problem were developed. In this article we survey these de- velopments, as well as their connections to questions in geometric functional analysis and combinatorial geometry. 1 Introduction The nearest neighbor problem is defined as follows: Given a set P of n points in a metric space defined over a set X with distance function D, build a data structure1 that, given any “query” point q X, returns its “nearest neighbor” arg minp P D(q; p).A 2 2 particularly interesting and well-studied case is that of nearest neighbor in geometric spaces, where X = Rd and the metric D is induced by some norm.
    [Show full text]
  • Rajeev Motwani
    THEORY OF COMPUTING, Volume 8 (2012), pp. 55–68 www.theoryofcomputing.org SPECIAL ISSUE IN HONOR OF RAJEEV MOTWANI Rajeev Motwani (1962-2009) Prabhakar Raghavan∗ Received: September 13, 2010; published: March 31, 2012. Abstract: Rajeev Motwani was a pre-eminent theoretical computer scientist of his genera- tion, a technology thought leader, an insightful venture capitalist, and a mentor to some of the most influential entrepreneurs in Silicon Valley in the first decade of the 21st century. This article presents an overview of Rajeev’s research, and provides a window to his early life and the various influences that shaped his research and professional career—it is a small celebration of his wonderful life and many achievements. ACM Classification: K.2/People, F.2.2 AMS Classification: 01A70, 68-00 Key words and phrases: biography 1 Early Life and Education Rajeev Motwani was born on March 24, 1962 in the Indian city of Jammu to Lieutenant Colonel Hotchand Motwani, an officer in the Indian Army, and Namita Motwani (nee´ Sushila). His family included brothers Sanjeev and Suneev. Given his father’s army career, Rajeev’s family moved often and lived in various parts of India before settling down in New Delhi. Those who knew Rajeev as a young boy remember him as an avid reader. When Rajeev was seven, his father was stationed in the scenic town of Devlali near Mumbai, India. His family would walk a kilometer to the local library to get books, and the seven-year-old Rajeev would be seen reading the books ∗Based on contributions by Sanjeev Arora, Gautam Bhargava, Piotr Indyk, Asha Jadeja, Sanjeev Motwani, Prabhakar Raghavan, and G.
    [Show full text]